[RESPONDED] Coreboot on the Framework Laptop

Could someone provide an ELI5 version on the advantages of coreboot? Is it simply an open source version of BIOS that is more secure since there will be more eyes on potential vulnerabilities?

I’m new to this area of computers and it’s not something I know much about.

2 Likes

@TibialCuriosity I can’t claim to be an expert, but from my understanding the main advantages are the following:

  • You have way more control and insight over what code runs when you boot up your system, partly because it is open source
  • It can be more secure than a proprietary BIOS (depends on how you use it and what you try to defend against)
  • In most cases your system will boot faster with coreboot because only code that is really needed runs
6 Likes

@Jason_Hottelet interesting. Thank you for the info! It’ll be cool to see it implemented and the differences. Would probably wait till the community tests it out more (whenever it is released) so I don’t break anything.

2 Likes

As someone that’s very much a hardware tinkerer and has more time with DIY desktops than laptops, there’s a whole slew of BIOS options that are common on DIY desktop motherboards that are almost always completely nonexistent on laptops and/or pre-built motherboards, and I don’t just mean overclocking either - things like fan curves and being able to turn down the CPU (underclock, down-core, undervolt, etc) are things I particularly care a lot about.

Additionally, Framework has a lot of Linux-focused users and, as more and more black-box “security” chips get embedded into modern CPUs (Intel ME as well as Microsoft Pluton come to mind), the likes of open firmware is one way to shed some light as well as giving some control back to the user.

Lastly, I’ve a bit of a history with locked-down BIOSes that left a bit of a bad taste in my mouth, especially when the hardware supports a function but the BIOS doesn’t let you use it, thereby resulting in inconvenient work-arounds (e.g. undervolting via software that may only be available on a specific OS), sub-optimal performance (e.g. no AHCI support and therefore no TRIM on a SATA SSD), or straight-up being unable to use the function altogether (exhibit A: ECC memory).

A very recent example of a locked-down BIOS that I’ve run into is that, about a week ago, I came into possession of a NUC-like device and it’d be neat if it could boot up whenever connected to AC power in a manner similar to what the Framework laptop can do, but the BIOS on the aforementioned NUC-like device does not provide such a function… (also its fan curve is terrible and can’t be configured, which is a big reason its previous owner gave it to me, so I’m forced to remove the stock fan(s) and do a derpy rig-up with dual 120mm desktop case fans powered via USB).

4 Likes

Thanks for the info, @NM64
Now that I have a new framework Qubes, I have hope about BIOS.
And, as I replace my desktop, you have given me a few more things to look for

1 Like

Just the latest note on what Framework will try to do for coreboot, according to nrp’s comment on Hacker News.

nrp 6 hours ago | root

We’ve handed three systems that can boot unsigned bootloaders to folks in the coreboot community. Our plan in the near term is to help them create a shim loader that can be signed to run on any Framework Laptop, which then enables anyone to do further coreboot development.

19 Likes

Hey @nrp thanks for your efforts on this, it is genuinely very cool to see. How exactly will this shim work? Is it exploiting an Intel vulnerability, or something else? Also, is it possible subsequent Framework laptops will not need the shim?

3 Likes

@Lewis_T from what I’ve read, this will be a small shim which is signed in a similar way to how Framework signs their own BIOS images today. Instead of booting the proprietary firmware, the shim quickly hands off control to any user-defined image instead (for example, coreboot/TianoCore).

You can think of this as analogous to the boot shim for Secure Boot kernels which has been signed by Microsoft to allow Linux distributions such as Debian to control the early Secure Boot process. But this BIOS shim would take over much earlier in the boot process. Hopefully, and I suspect this to be the case, the shim will still support some form of user-controlled signing so that the devices aren’t left open to compromise by evil maid attack, etc.

4 Likes

Another one here hoping for coreboot. Having the option to choose coreboot already being installed and alternative OSs would be great too (Qubes, others). Also having the option to disable Intel ME/AMD PSP would be stellar.

2 Likes

@khimaros
I totally agree. A device where everyone can “flash” a BIOS sounds great for development and testing. Also every user could run a BIOS like they want, e.g. without Intel ME and stuff.

For security it could be a nightmare. I hope this will be implemented like the verified boot on Android devices [0].
  • No screen: Framework-signed firmware
  • Yellow screen: Self-signed firmware showing the full root of trust hash
  • Red screen: Without signature

Hopefully it will be implemented like the Qualcomm code showing the full root of trust, not like Google’s implementation [1].

[0] Boot flow  |  Android Open Source Project
[1] Google Issue Tracker

1 Like
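A model of the three screen states described in the post above, as an added example (not Framework’s or coreboot’s code). It assumes a vendor key fixed in the boot ROM and an owner-enrolled key, and uses HMAC-SHA256 as a stand-in for the asymmetric signature a real boot ROM would verify; the decision logic and what the yellow screen displays are the point.

```python
"""Three-state firmware boot policy: vendor-signed, self-signed, unsigned.
Added example, not Framework's or coreboot's code. HMAC-SHA256 stands in
for the asymmetric signature a boot ROM would really check."""
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed keys. In hardware the vendor key would be fused into the boot
# ROM and the user key enrolled by the owner (e.g. stored in NVRAM).
VENDOR_KEY = b"constructed-vendor-key"
USER_KEY = b"constructed-user-enrolled-key"


def root_of_trust_hash(key: bytes) -> str:
    """Fingerprint shown on the yellow screen. It hashes the *key* that
    verified the image, not the image, so the owner can compare it with the
    key they enrolled and notice a silently swapped root of trust."""
    return hashlib.sha256(key).hexdigest()


def sign(key: bytes, image: bytes) -> bytes:
    """Stand-in for signing a firmware image with `key`."""
    return hmac.new(key, image, hashlib.sha256).digest()


def boot_policy(image: bytes, signature: Optional[bytes],
                enrolled_user_key: Optional[bytes]) -> Tuple[str, Optional[str]]:
    """Return (screen_state, fingerprint) for an image about to run.
    no_screen: verified by the vendor key
    yellow:    verified by the owner-enrolled key; fingerprint displayed
    red:       no signature, a signature that does not verify (including a
               tampered image), or self-signed with no enrolled key"""
    if signature is not None:
        if hmac.compare_digest(sign(VENDOR_KEY, image), signature):
            return "no_screen", None
        if enrolled_user_key is not None and hmac.compare_digest(
                sign(enrolled_user_key, image), signature):
            return "yellow", root_of_trust_hash(enrolled_user_key)
    return "red", None


if __name__ == "__main__":
    image = b"constructed firmware image bytes"  # constructed sample input
    for label, sig in [("vendor", sign(VENDOR_KEY, image)),
                       ("self", sign(USER_KEY, image)),
                       ("unsigned", None)]:
        print(label, boot_policy(image, sig, USER_KEY))
```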

Anyone here know where the BIOS chip is located on the Framework? I’m wondering if it’s socketed or soldered.

I just opened an issue ticket on the coreboot issue tracker to communicate with the coreboot community directly.

6 Likes

@nrp Could you tell me to whom in the coreboot community you provided the 3 Framework Laptops? You wrote about the topic in [1]. Could you tell me the names and the company or organization they belong to, if needed? A person in the coreboot community wants to know. [2] Thanks.

[1] We've handed three systems that can boot unsigned bootloaders to folks in the co... | Hacker News
[2] Support #387: Support Framework Laptop - coreboot - Issue Tracker

2 Likes

I renamed this thread title “Free the EC!” and “Coreboot Only” to “Coreboot on the Framework Laptop”. I know we are familiar with the previous thread title. But the reason is that I want to use this thread as the coreboot main thread, and I expect a discussion involving people outside the Framework community might happen on this thread in the near future. A clear name is better for that.

Goodbye to the thread title ‘“Free the EC!” and “Coreboot Only”’, hello to the new title “Coreboot on the Framework Laptop”. By the way, the official name is not “Coreboot” but “coreboot” according to coreboot - Wikipedia. However, Discourse didn’t allow it.

Dear Community Moderators (@Fraoch @2disbetter @Mirage @Munee), could you change this thread to wiki? I want to add a summary of the coreboot topic on the Framework Laptop to the first comment for everyone to be on the same page.

3 Likes

Done. :+1:

I wouldn’t worry about the capitalization of the C in coreboot though. Everyone knows there is only one coreboot, and in English, at least, proper nouns are capitalized.

4 Likes

Thanks! I updated the first comment now. It looks better, right?

I just thought calling a project by its correct name was important to respect the people in a project or organization, the same as calling a person by their name correctly. Such as “GitHub” not “Git Hub”, “Arm” not “ARM”, and “Framework” not “frame.work” (this is just the website’s domain). But yeah, I am okay with that.

3 Likes

When can we expect Coreboot support if ever?

1 Like

It’s still not clear. You can see this thread’s first comment (wiki) for details.

2 Likes

Related to my comment above, I asked Framework support some questions to clarify the coreboot things. The outcome is below.

Q&A

Here are my questions and Framework support’s answers.

Q1.

To whom in the coreboot community did nrp provide the 3 Framework Laptops?

Framework support answered, “I will not be able to provide information on which end users were provided hardware, as this would be a breach of our privacy policy.”

Q2.

Do the 3 Framework Laptops which nrp sent to the people in the coreboot community have Intel BootGuard fully disabled? Will ask nrp.

Framework support answered, “I can confirm that the three units provided didn’t have Intel BootGuard enabled, however these were based on pre-production hardware designs.”

Q3-1.

Is the current documentation (not full) without an agreement good enough to port coreboot?

Framework support didn’t answer this question.

Q3-2.

Can individuals in the coreboot community access the full schematics and board views with an agreement? The kb article 2 says it is for repair shops.

Framework support answered, “We did not provide full schematics, as these are only provided - under NDA - to repair partners.”

Other notable information

Framework support’s first email.

Hi Jun,

Thank you for your patience, I will not be able to provide information on which end users were provided hardware, as this would be a breach of our privacy policy. I can confirm that the three units provided didn’t have Intel BootGuard enabled, however these were based on pre-production hardware designs. We did not provide full schematics, as these are only provided - under NDA - to repair partners.

While aligned with our mission, coreboot is not something we are actively developing at this time.

Regards,

Framework Support

Framework support’s third email.

Hi Jun,

Sorry we do not have additional responses for you at this time. If and when we actively develop coreboot in the future, we will announce and discuss this on our community. Thank you.

Regards,

Framework Support

I also updated this thread’s first wiki comment and commented on the coreboot issue ticket.

References

8 Likes

Dang, Framework please put more effort into coreboot. It would otherwise be a missed market opportunity IMHO. So many people would love a fully open source laptop. E.g. every single security researcher I’ve asked.

5 Likes